November 2007
Report No. AUD-08-002

Examination Procedures for Assessing Selected Controls Related to the Protection of Customer and Consumer Information at Multi-regional Data Processing Servicers (MDPS)

AUDIT REPORT


Report No. AUD-08-002
November 2007

Examination Procedures for Assessing Selected Controls Related to the Protection of Customer and Consumer Information at Multi-regional Data Processing Servicers (MDPS)

Background and Purpose of Audit

FDIC-insured financial institutions are increasingly outsourcing their critical information technology services to Technology Service Providers (TSP). Frequently, these outsourcing arrangements involve the collection, processing, and storage of customer and consumer information on behalf of financial institutions. The Bank Service Company Act provides federal bank regulators with examination access to TSPs. TSPs that process mission-critical applications for a large number of financial institutions with multiple regulators or geographically dispersed data centers are subject to interagency examination under the Federal Financial Institutions Examination Council’s (FFIEC) MDPS program and related examination guidance.

Federal regulators published interagency guidelines that established information security standards for financial institution use in developing and implementing safeguards to protect customer and consumer information. Those guidelines implement statutory requirements for financial institutions intended to protect such information and to deter identity theft. Our audit focused on three selected security control areas contained in the guidelines: the oversight of TSP third-party service providers, incident response programs, and the disposal of information.

The audit objective was to assess the FDIC’s implementation of FFIEC and FDIC examination guidance for selected controls related to the protection of customer and consumer information at TSPs in the MDPS program. Of the 16 TSPs in the MDPS program, we sampled 3 of the 8 TSPs for which the FDIC served as the Agency-in-Charge for the most recent examination.

Results of Audit

The FDIC has taken a number of proactive steps in its oversight of TSPs in the MDPS program. During our audit, the FDIC hosted the 2007 FFIEC MDPS Supervisory Strategy Meeting, enhanced its monitoring of TSPs in the MDPS program, and conducted a number of outreach initiatives. Importantly, FDIC examiners use FFIEC and FDIC examination guidance when assessing security controls related to the protection of customer and consumer information at TSPs in the MDPS program. Additionally, as part of each examination, the examiners considered the risk assessment of security controls prepared by the TSP in response to the interagency guidelines. However, the risk assessments for the three TSPs we reviewed generally did not address the three security control areas (oversight of TSP third-party service providers, incident response programs, and the disposal of information) covered by our audit, and examination documentation we reviewed generally did not contain conclusions on security risks in these control areas. As a result, we were unable to determine whether related examination procedures performed at the three TSPs reviewed were commensurate with the risk of unauthorized access to customer and consumer information.

The FDIC can further ensure that TSP examination procedures are effective and efficient by more closely linking examination procedures to underlying conclusions on risk in security control areas. In this manner, the FDIC would have greater assurance that customer and consumer information processed by TSPs in the MDPS program is protected consistent with statutory and regulatory requirements.

Recommendations and Management Response

We recommended that the Director, Division of Supervision and Consumer Protection: (1) provide conclusions on the risks for key security control areas in FDIC examination documentation for examinations of TSPs in the MDPS program in order to provide greater assurance that examination procedures performed are commensurate with identified risks and (2) conduct periodic quality assurance reviews of examination documentation prepared by FDIC examiners under the MDPS program to achieve greater assurance that MDPS examination documentation contains risk determinations for key security control areas, procedures performed are commensurate with identified risk, and examination processes are consistently applied across FDIC regions.

FDIC management agreed with both recommendations, noting that it has begun quality assurance reviews of documentation prepared by FDIC examiners for examinations of TSPs in the MDPS program where the FDIC is the Agency-in-Charge. Further, the FDIC agreed to emphasize the importance of documenting adequate conclusions for key security control areas.

To view the full report, go to www.fdicig.gov/2008reports.asp


TABLE OF CONTENTS

BACKGROUND                                                                  1

RESULTS OF AUDIT                                                            6

ASSESSING SECURITY RISKS RELATED TO THE PROTECTION OF                       6
CUSTOMER AND CONSUMER INFORMATION

  Recommendations                                                          10

CORPORATION COMMENTS AND OIG EVALUATION                                    10

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                              11

APPENDIX II: LAWS, REGULATIONS, POLICY, AND GUIDANCE                       14

APPENDIX III: GLOSSARY OF TERMS                                            18

APPENDIX IV: CORPORATION COMMENTS                                          21

APPENDIX V: MANAGEMENT RESPONSE TO RECOMMENDATIONS                         23

FIGURES

Figure 1. IT Booklets That Comprise the FFIEC IT Examination Handbook       4
Figure 2. Examination Objectives for Evaluating the Oversight of Service    7
          Providers
Figure 3. Components of a Response Program                                  8


Federal Deposit Insurance Corporation                      Office of Audits
3501 Fairfax Drive, Arlington, VA 22226           Office of Inspector General

DATE:            November 30, 2007

MEMORANDUM TO:   Sandra L. Thompson, Director
                 Division of Supervision and Consumer Protection

                 /Signed/
FROM:            Russell A. Rau
                 Assistant Inspector General for Audits

SUBJECT:         Examination Procedures for Assessing Selected Controls Related to the Protection of Customer and Consumer Information at Multi-regional Data Processing Servicers (MDPS) (Report No. AUD-08-002)

This report presents the results of our third audit in a series of audits relating to the FDIC’s oversight of technology service providers (TSP).[1] The overall purpose of these audits is to assess the FDIC’s examination coverage of TSPs and related efforts to protect the customer and consumer information[2] of FDIC-supervised financial institutions. The objective of this audit was to assess the FDIC’s implementation of the Federal Financial Institutions Examination Council (FFIEC)[3] and FDIC examination guidance for selected controls related to the protection of customer and consumer information at TSPs in the MDPS program. This audit focused on TSP controls in the following areas: (a) the oversight of TSP agreements with third-party service providers that maintain customer and consumer information; (b) response programs for addressing security incidents involving customer and consumer information; and (c) the disposal of customer and consumer information. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix I discusses our audit objective, scope, and methodology in detail. Appendix III contains a glossary of terms.


BACKGROUND

FDIC-insured financial institutions are increasingly turning to TSPs to outsource critical information technology (IT) services, such as deposit and general ledger processing, check processing and imaging, and Web hosting. Frequently, these outsourcing arrangements involve the collection, processing, and storage of customer and consumer information on behalf of financial institutions. While outsourcing offers financial institutions a number of important benefits, such as competitive advantages and cost-efficiencies, it also requires that appropriate steps be taken to ensure that TSPs adequately protect customer and consumer information in their custody. Widely publicized reports of data security breaches involving sensitive personal information[4] have raised concerns among banking regulators, the public, and the Congress, and underscore the importance of implementing sound security controls to protect customer and consumer information.

[1] See Appendix I for a description of the scope and objectives for the two prior audits.
[2] Customer information refers to records containing nonpublic personal information about a customer, that is, someone who has a continuing relationship (e.g., savings account or loan) with a financial institution. Consumer information refers to records about an individual that, in general, are derived from consumer reports. See Appendix III for further information related to these terms.
[3] The FFIEC is an interagency body statutorily empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the FDIC, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA).

Requirements for Protecting Customer and Consumer Information

Two key statutes aimed at protecting sensitive personal information and preventing identity theft are the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Fair and Accurate Credit Transaction Act of 2003 (FACT Act).

    •   GLBA states that it is congressional policy that financial institutions have an affirmative and continuing obligation to protect the security and confidentiality of their customers’ non-public personal information. The statute directs the FDIC and other regulatory agencies to establish appropriate standards for the security and confidentiality of customer records and information pertaining to financial institution customers.

    •   The FACT Act, which amends the Fair Credit Reporting Act, is intended to protect consumers against the risks of identity theft and other types of consumer fraud by requiring that “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose properly dispose of any such information or compilation.” The Act directs the FDIC and other regulatory agencies to promulgate rules regarding the proper disposal of consumer information.

The FDIC, in coordination with the other regulatory agencies, implemented its responsibilities under GLBA and the FACT Act through the Interagency Guidelines Establishing Information Security Standards (the Security Guidelines).[5] The Security Guidelines require that financial institutions implement a comprehensive information security program that is designed, in general, to ensure the security, confidentiality, and proper disposal of customer and consumer information. A fundamental component of the security program is the development of a written risk assessment that addresses risks to the institution’s customer and consumer information and the methods the institution uses to access, collect, store, use, transmit, protect, or dispose of such information. According to the Security Guidelines, financial institutions must take the following steps in assessing risk to their customer and consumer information:

    •   identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or consumer information systems;[6]

    •   assess the likelihood and potential damage of identified threats, taking into consideration the sensitivity of customer information; and

    •   assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control identified risks.

[4] In June 2005, it was reported that a security breach at a TSP exposed more than 40 million credit card accounts to potential fraud. In May 2007, it was reported that a financial services firm had discarded documents containing sensitive customer financial information in garbage bags outside of several of the firm’s branch locations.
[5] Appendix B of Part 364 and Subpart I of Part 334 of the FDIC’s Rules and Regulations. The Security Guidelines, effective July 1, 2001, implement sections 501(b) and 505 of GLBA and were amended effective July 1, 2005 to reflect section 216 of the FACT Act. The Security Guidelines set forth standards pursuant to section 39 of the Federal Deposit Insurance Act regarding, in general, safeguards to protect customer information.

The Security Guidelines also state that financial institutions must address certain security control areas when developing and implementing their information security programs. Three of these security control areas were the focus of our audit:

    •   Oversight of Service Providers. Financial institutions shall (a) exercise appropriate due diligence when selecting service providers; (b) require service providers, by contract, to implement appropriate measures designed to meet the objectives of the Security Guidelines;[7] and (c) where indicated by the institution’s risk assessment, monitor service providers to confirm that they have met their obligations to satisfy objectives of the Security Guidelines.

    •   Response Programs. Financial institutions must consider implementing a response program (including customer notification procedures) that specifies actions to be taken when unauthorized access to customer information systems is suspected or detected, including appropriate reports to regulatory and law enforcement agencies.

    •   Disposal of Information. Financial institutions must develop, implement, and maintain appropriate measures to properly dispose of customer and consumer information.[8]

The Security Guidelines recognize that when a financial institution enters into an outsourcing arrangement with a TSP, the institution continues to be responsible for the security of any customer or consumer information handled by the TSP on behalf of the institution. According to the Security Guidelines, financial institutions are expected to contractually require their service providers to implement appropriate measures designed to meet the objectives of the Security Guidelines.

[6] Any methods used to access, collect, store, transmit, protect, or dispose of customer information.
[7] By July 1, 2003, financial institutions were expected to include a requirement in all service provider contracts to maintain the security and confidentiality of customer information.
[8] Financial institutions were expected to comply with the disposal provisions of the Security Guidelines by July 1, 2005 and to modify all affected service provider contracts by July 1, 2006.

Federal Oversight of TSPs

The Bank Service Company Act authorizes the FDIC, FRB, and OCC to examine the operations of third-party companies that provide services to financial institutions.[9] The purpose of conducting such examinations is to identify and assess risks, including risks to the security of customer and consumer information, which may adversely affect the safety and soundness of serviced financial institutions. The FFIEC has published a series of IT Booklets (see Figure 1), collectively referred to as the FFIEC IT Examination Handbook, that contain guidance and procedures to assist examiners in conducting examinations of financial institutions and their TSPs. Examiners may tailor the procedures in the booklets based on examiner judgment and relevant examination factors, such as the size and complexity of the TSP and the quality of the TSP’s risk assessment. For example, less work by examiners would be needed for a TSP that has thoroughly considered the risks to the security of its customer and consumer information as part of its risk assessment. Our audit assessed the FDIC’s implementation of relevant examination procedures in IT Booklets 1-8 because these eight IT Booklets contain examination procedures related to the three security control areas covered by our audit.

Figure 1: IT Booklets That Comprise the FFIEC IT Examination Handbook

    1.  Supervision of Technology Service Providers
    2.  Business Continuity Planning
    3.  Audit
    4.  Development and Acquisition
    5.  Outsourcing Technology Services
    6.  Management
    7.  Operations
    8.  Information Security
    9.  E-Banking
    10. FedLine
    11. Retail Payment Systems
    12. Wholesale Payment Systems

Source: FFIEC.

The FDIC issued examination guidance in its April 5, 2005 Regional Director Memorandum entitled, Examination Procedures to Evaluate Response Programs for Unauthorized Access to Customer Information and Customer Notice. The FDIC also issued two Financial Institution Letters (FIL)[10] relevant to the scope of our audit: the Fair and Accurate Credit Transaction Act of 2003 Guidelines Requiring the Proper Disposal of Consumer Information (dated February 2, 2005) and the Risk Management of Technology Outsourcing (dated November 29, 2000). We considered the guidelines in the memorandum and FILs in conducting our audit.

[9] Specifically, the bank regulator with jurisdiction over the principal investor of the bank service corporation may examine that service corporation or may authorize other bank regulators that supervise any other member of the service corporation to conduct the examination. Moreover, the Examination Parity and Year 2000 Readiness for Financial Institutions Act authorizes the OTS to examine service providers. The NCUA does not have statutory authority over service providers.
[10] The FDIC issues FILs to financial institutions to announce new regulations and policies, new FDIC publications, and other matters of interest to those responsible for operating a financial institution.

The MDPS Program

Certain TSPs, because of the high risk they pose to the financial services industry, are subject to interagency examination under the FFIEC’s MDPS program. According to the FFIEC, disruptions in services, as a result of financial or operational conditions, at one of these TSPs pose systemic risk[11] to the banking system. The FFIEC considers a TSP for the MDPS program when the TSP processes critical applications, such as general ledger or loan and deposit systems, for a large number of financial institutions with multiple federal regulators or geographically dispersed data centers. As of June 25, 2007, there were 16 TSPs in the MDPS program, which collectively provide mission-critical IT services to the majority of the country’s regulated financial institutions.

The FFIEC IT Subcommittee[12] has implemented a risk-based approach for determining the frequency and scope of examination coverage of TSPs in the MDPS program. Generally, TSPs in the MDPS program are subject to on-site examinations at least every 2 years and more frequently when supervisory concerns exist. On-site examinations are supplemented with interim reviews of material changes in TSP activities or condition. The scope and frequency of interim reviews vary, depending on the degree of change at the TSP, but are generally conducted at least once between on-site examinations. The FFIEC IT Subcommittee designates an Agency-in-Charge for each TSP in the MDPS program to coordinate examination activities. As of June 25, 2007, the FDIC was the Agency-in-Charge for 8 of the 16 TSPs in the MDPS program. The Agency-in-Charge is responsible for preparing key examination products, such as the scoping memorandum and Report of Examination (ROE). The scoping memorandum contains the TSP’s corporate history, data centers included in the examination, examination schedule, and resource requirements. The ROE contains relevant examination findings, conclusions, and management comments and includes an IT examination rating reflecting the overall level of supervisory attention warranted for the TSP.[13]

FDIC’s Oversight of TSPs in the MDPS Program

Within the FDIC, the Division of Supervision and Consumer Protection (DSC) has primary responsibility for examinations of TSPs in the MDPS program. In this capacity, DSC has taken a number of proactive measures. Of particular note, DSC hosted conferences in March 2006 and February 2007 with representatives of other FFIEC agencies to discuss issues, trends, and supervisory strategies related to TSPs in the MDPS program. DSC also implemented the Technology Service Provider Event and Reporting Program in June 2007 to assist FDIC examiners in analyzing pertinent financial, technical, and operational information pertaining to TSPs in the MDPS program. In addition, DSC continues to provide financial institutions with relevant information regarding the protection of customer and consumer information processed by TSPs through FILs, outreach initiatives (including conferences and speaking engagements), and the FDIC’s public Web site.

[11] Systemic risk can occur when one participant fails to meet its obligations, causing other participants to fail to meet their obligations. Such a chain reaction can threaten the stability of financial markets.
[12] The IT Subcommittee, which is a standing committee of the FFIEC Task Force on Supervision, serves as a forum to address information systems and technology issues as they relate to financial institutions in order to promote quality, consistency, and effectiveness in examination practices.
[13] Examiners use the FFIEC’s Uniform Ratings System for Information Technology to assess and rate IT-related risks at TSPs. Ratings are based on a scale of 1 through 5 in ascending order of supervisory concern, with 1 representing the highest rating and least degree of supervisory concern and 5 representing the lowest rating and highest degree of supervisory concern.


RESULTS OF AUDIT

The FDIC has taken a number of proactive steps in its oversight of TSPs in the MDPS program. During our audit, the FDIC hosted the 2007 FFIEC MDPS Supervisory Strategy Meeting, enhanced its monitoring of TSPs in the MDPS program, and conducted a number of outreach initiatives. Importantly, FDIC examiners use FFIEC and FDIC examination guidance when assessing security controls related to the protection of customer and consumer information at TSPs in the MDPS program. Additionally, as part of each examination, the examiners considered the risk assessment for security controls prepared by the TSP in response to the Security Guidelines. However, the risk assessments for the three TSPs we reviewed generally did not address the three security control areas (oversight of TSP third-party service providers, incident response programs, and the disposal of information) covered by our audit, and examination documentation we reviewed generally did not contain conclusions on security risks in these control areas. As a result, we were unable to determine whether related examination procedures performed at the three TSPs we reviewed were commensurate with the risk of unauthorized access to customer and consumer information.

Providing conclusions in FDIC examination documentation on the risks for key security control areas related to the protection of customer and consumer information would promote consistency in security control assessments performed by the FDIC’s regional offices for TSPs in the MDPS program. Such information would also be valuable to examiners when they assume examination responsibilities for TSPs in the MDPS program, such as when examination responsibilities transition from one regulator to another. In addition, enhanced linking of examination procedures with identified security risks would provide DSC greater assurance that customer and consumer information processed by TSPs in the MDPS program is protected consistent with the statutory and regulatory requirements intended to safeguard such information.


ASSESSING SECURITY RISKS RELATED TO THE PROTECTION OF CUSTOMER AND CONSUMER INFORMATION

The FFIEC IT Examination Handbook states that examiners should evaluate the degree of risk and the quality of risk management as part of each TSP examination. This involves, among other things, reviewing the TSP’s internally-prepared risk assessment to evaluate the organization’s practices for identifying, measuring, controlling, and monitoring security risks. Evaluating TSP risk assessments helps examiners focus examination resources on the TSP control areas that present the greatest risk. For the three TSPs we sampled, we noted that examiners were evaluating the adequacy of TSP-prepared risk assessments. However, neither the TSP-prepared risk assessments nor the examination documentation (e.g., working papers, ROEs, and scoping memoranda) adequately described the security risks in the three control areas covered by our audit. In addition, the scope of examination procedures performed in these three control areas varied significantly among the TSPs we reviewed. As a result, we were unable to determine whether the examination procedures performed in these three control areas were commensurate with the associated security risks.

The following sections describe the varying degree of examination coverage related to the oversight of service providers, response programs, and the disposal of information.

Oversight of Service Providers. The FFIEC’s Outsourcing Technology Services IT Booklet defines four fundamental control areas associated with the outsourcing of IT services by financial institutions or TSPs: Risk Assessment and Requirements, Service Provider Selection, Contract Issues, and Ongoing Monitoring. The IT Booklet contains examination guidance, objectives, and procedures to assist examiners in assessing risks (including security risks) in each of the four IT outsourcing control areas. Figure 2 summarizes the examination objectives associated with each IT outsourcing control area as described in the Outsourcing Technology Services IT Booklet. In addition, the FFIEC’s Information Security IT Booklet contains guidance and examination procedures for evaluating security controls associated with the oversight of service providers.

Figure 2: Examination Objectives for Evaluating the Oversight of Service Providers

    ♦ Risk Assessment and Requirements: Evaluate the quantity of risk present from the outsourcing arrangement and the quality of risk management.
    ♦ Service Provider Selection: Evaluate the service provider selection process.
    ♦ Contract Issues: Evaluate the process for entering into a contract with the service provider.
    ♦ Ongoing Monitoring: Evaluate the process for monitoring the risk presented by the service provider relationship. Review the policies regarding periodic ranking of service providers by risk for decisions regarding the intensity of monitoring (i.e., risk assessment).

Source: OIG Analysis of the FFIEC’s Outsourcing Technology Services IT Booklet.

Although examiners considered each of the four IT outsourcing control areas in Figure 2 when examining TSPs in the MDPS program, the scope of examination procedures performed in these areas to assess security risks varied significantly. For example, with respect to Risk Assessment and Requirements, examination working papers for two of the three TSPs we reviewed did not include procedures to determine whether the TSP had identified all of its service providers with access to customer and consumer information. Identifying service providers with access to customer and consumer information is a critical step in determining whether the service providers’ security controls are consistent with the principles of the Security Guidelines. Regarding Contract Issues, examination working papers for two of the three TSPs did not contain procedures to assess the adequacy of security requirements in service provider contracts. In addition, examination working papers for one of the three TSPs did not contain procedures to assess security in the areas of Service Provider Selection or Ongoing Monitoring.

Response Programs. In March 2005, the FDIC, in coordination with the other FFIEC agencies, issued supplemental guidance regarding GLBA and the Security Guidelines[14] by describing five minimum components of a response program that financial institutions should develop and implement to address incidents of unauthorized access to sensitive customer information (see Figure 3). The Security Guidelines state that financial institutions must require their service providers, by contract, to implement appropriate security measures for responding to incidents of unauthorized access to customer information. In addition, DSC’s April 5, 2005 memorandum entitled, Examination Procedures to Evaluate Response Programs for Unauthorized Access to Customer Information and Customer Notice, contains procedures to assist FDIC examiners in evaluating and documenting the five components of a response program.

Figure 3: Components of a Response Program

    1.  Assessing the nature and scope of the incident and identifying the systems and types of information that have been accessed.
    2.  Taking appropriate steps to contain and control the incident.
    3.  Notifying the institution’s primary federal regulator.
    4.  Notifying appropriate law enforcement authorities if a Suspicious Activity Report is filed.
    5.  Notifying customers, when warranted.

Source: The Security Guidelines.

Although examiners performed procedures to address all five components of a response program at two of the three TSPs we reviewed, examiners did not perform examination procedures to address two of the five response program components at the remaining TSP. Specifically, examiners did not perform procedures to determine whether the TSP had adequate controls in place for notifying federal regulators of incidents involving unauthorized access to, or use of, customer information. In addition, examiners did not perform procedures to fully assess the role and responsibilities of a key TSP contractor involved in assessing, containing, and controlling security incidents.

Disposal of Information. The Security Guidelines direct financial institutions to require their service providers, by contract, to implement appropriate measures to protect against unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to customers. Such measures include developing, implementing, and maintaining appropriate controls for disposing of customer and consumer information processed on behalf of financial institutions. Examples of “reasonable measures” that organizations and individuals can take when disposing of consumer information are provided in the Federal Trade Commission’s regulation, Disposal of Consumer Report Information and Records (the Disposal Rule).[15] In addition, the FFIEC’s Business Continuity Planning, Information Security, and Operations IT Booklets contain examination guidance and procedures for assessing security controls related to the disposal of information. The FFIEC examination guidance and procedures can be divided into three areas: (1) assessing disposal risks; (2) reviewing and evaluating the sufficiency of security policies and standards related to disposal; and (3) determining whether disposal controls and processes are appropriately implemented.

[14] The FDIC’s version of the supplemental guidance appears as Supplement A, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, to Appendix B of Part 364.

Although examiners conducted procedures to review and evaluate security policies and standards related to the disposal of information at all three of the TSPs we reviewed, procedures for assessing the implementation of those policies and standards varied. At one of the TSPs, the internal audit department conducted extensive work on an outside disposal firm engaged by the TSP to destroy information,[16] and the examiners included the review results in the examination working papers. Although the remaining two TSPs had also engaged outside disposal firms, the internal audit department at those two TSPs did not perform comprehensive procedures, and the examiners did not assess key controls related to TSP disposal operations.
In addition, examination working papers for two of\nthe three TSPs did not include procedures to assess disposal risks associated with known\nsecurity vulnerabilities, such as inadequate controls over sensitive records and a lack of\nencryption for data stored on back-up tapes, laptop computers, and personal digital\nassistants.\n\nHow the FDIC Can Achieve Greater Assurance That Conclusions on Risks for Key\nSecurity Control Areas Are Included in Examination Documentation\n\nThe FFIEC\xe2\x80\x99s Supervision of Technology Service Providers IT Booklet states that\nexamination working papers must provide sufficient documentation for a reviewer to\nunderstand what work was done, why it was done, and how conclusions were reached.\nHowever, FFIEC and FDIC examination guidance does not describe how conclusions on\nsecurity risks related to the protection of customer and consumer information should be\nrecorded in the examination documentation. FDIC examination staff that we spoke with\nindicated that requiring FDIC examiners to include information in the examination\ndocumentation regarding their conclusions on risks for key security control areas would\nbe beneficial. Examiners noted that such information would promote consistency in TSP\nsecurity control assessments among the FDIC\xe2\x80\x99s regional offices. Examiners also noted\nthat such information would be valuable to examiners when they assume examination\nresponsibilities for TSPs in the MDPS program, such as when examination\nresponsibilities transition from one regulator to another. In addition, through enhanced\n\n15\n   16 Code of Federal Regulations (C.F.R.) Part 682. 
Such measures include, for example, conducting due\ndiligence of prospective disposal firms by reviewing an independent audit of the disposal company\xe2\x80\x99s\noperations and/or its compliance with the Disposal Rule, requiring that the disposal company be certified\nby a recognized trade association or similar third party, reviewing and evaluating the disposal company\xe2\x80\x99s\ninformation security policies or procedures, or taking other appropriate measures to determine the\ncompetency and integrity of the disposal company. The Disposal Rule became effective June 1, 2005.\n16\n   The work included, but was not limited to, (a) confirming that shredder bins were locked; (b) inquiring\nwhether the disposal firm had been certified by the National Association for Information Destruction, Inc.;\nand (c) obtaining representations that disposals were supervised and that destruction logs were maintained.\n\n\n                                                     9\n\x0clinking of examination procedures performed with identified security risks, DSC would\nhave greater assurance that customer and consumer information processed by TSPs in the\nMDPS program is protected consistent with statutory and regulatory requirements that\nare intended to safeguard such information.\n\nDSC can further strengthen its oversight of TSPs in the MDPS program by subjecting\nunderlying FDIC examination documentation, including working papers, to a periodic\nquality assurance review. DSC has already established and implemented a formal quality\nassurance program to promote consistency and quality in its risk-management,\ncompliance, and IT examination processes. However, DSC has not yet conducted a\nquality assurance review of FDIC examination working papers related to TSPs in the\nMDPS program. 
Such quality assurance reviews would provide DSC with greater\nassurance that examination documentation adequately addresses risk determinations for\nkey security control areas related to the protection of consumer and customer\ninformation, procedures are performed commensurate with identified risk, and\nexamination processes are consistently applied across FDIC regions.\n\nRecommendations\n\nWe recommend that the Director, DSC:\n\n(1) Provide conclusions on the risks for key security control areas in FDIC examination\n    documentation for examinations of TSPs in the MDPS program in order to provide\n    greater assurance that examination procedures performed are commensurate with\n    identified risks.\n\n(2) Conduct periodic quality assurance reviews of examination documentation prepared\n    by FDIC examiners under the MDPS program to achieve greater assurance that\n    MDPS examination documentation contains risk determinations for key security\n    control areas, procedures performed are commensurate with identified risk, and\n    examination processes are consistently applied across FDIC regions.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn November 21, 2007, the Director, DSC, provided a written response to a draft of this\nreport. DSC\xe2\x80\x99s response is presented in its entirety as Appendix IV to this report. DSC\nagreed with both recommendations, noting that it has begun incorporating quality\nassurance reviews of documentation prepared by FDIC examiners for examinations of\nTSPs in the MDPS program where the FDIC is the Agency-in-Charge. Further, DSC\nagreed to emphasize the importance of documenting adequate conclusions for key\nsecurity control areas.\n\nDSC\xe2\x80\x99s actions are responsive to our recommendations. A summary of management\xe2\x80\x99s\nresponse to the recommendations is in Appendix V. 
The recommendations are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of the audit was to assess the FDIC’s implementation of FFIEC and FDIC examination guidance for selected controls related to the protection of customer and consumer information at TSPs in the MDPS program. We conducted this performance audit from December 2006 through July 2007 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Scope, Methodology, and Internal Controls

The audit focused on the implementation of FFIEC and FDIC examination guidance in the following three security control areas relative to customer and consumer information processed by TSPs in the MDPS program on behalf of FDIC-insured financial institutions:

• the oversight of TSP agreements with third-party service providers that maintain customer and consumer information;

• response programs for addressing security incidents involving customer and consumer information; and

• the disposal of customer and consumer information.

We selected these three security control areas for review because of recent media, regulatory, and industry attention.

To obtain an understanding of FFIEC examination guidance in the three security control areas, we reviewed relevant IT Booklets in the FFIEC IT Examination Handbook, particularly the Supervision of Technology Service Providers and Information Security IT Booklets. We also reviewed relevant FDIC examination guidance contained in DSC’s April 5, 2005 Regional Director Memorandum entitled, Examination Procedures to Evaluate Response Programs for Unauthorized Access to Customer Information and Customer Notice. In addition, we reviewed relevant FILs, including Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Consumer Information (dated February 2, 2005) and Risk Management of Technology Outsourcing (dated November 29, 2000). Further, we reviewed relevant information posted on the FDIC’s internal and public Web sites. To obtain an understanding of the FDIC’s supervisory oversight of TSPs in the MDPS program, we interviewed DSC Technology Service Branch personnel who had responsibility for establishing and maintaining the FDIC’s IT examination policies, procedures, and guidance and for coordinating with representatives of the FFIEC IT Subcommittee. Additionally, we interviewed DSC regional office personnel to obtain an understanding of MDPS examination strategies, staffing, and practices.

We assessed the FDIC’s implementation of FFIEC and FDIC examination guidance by selecting a non-statistical sample[17] of three TSPs in the MDPS program for which the FDIC was the Agency-in-Charge. Each TSP was under the supervisory oversight of a different DSC regional office. One of the three TSPs whose examinations we reviewed processed $1.5 trillion in payments daily, another TSP provided information processing for over 500 clients, and the third TSP serviced over 4 million merchant locations. For each TSP, we conducted a detailed review of the examination documentation, including the underlying working papers and key examination products, such as the scoping memorandums and ROEs. Additionally, we spoke with the Examiners-in-Charge and other key FDIC examination staff regarding their examination approach for addressing the three security control areas covered by our audit. Further, we spoke with representatives of the U.S. Government Accountability Office regarding security control work it had conducted at one of the TSPs in our review.

[17] The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.

We did not speak with examination staff at other federal banking regulators who had performed examination work on the three TSPs we reviewed. In addition, we did not visit any TSP offices or speak with TSP representatives. We conducted our audit work at the FDIC’s Headquarters offices in Washington, D.C.; the Dallas Regional Office in Dallas, Texas; the Kansas City Regional Office in Kansas City, Missouri; and the New York Regional Office in Manhattan, New York.

Reliance on Computer-based Data

We did not assess the reliability of the FFIEC’s computer-based data or the FDIC’s Virtual Supervisory Information On the Net system (ViSION)[18] information because the data were not significant to our findings, conclusions, or recommendations.

[18] ViSION is a bank-supervision tracking and reporting database. DSC refers to ViSION as an “information workstation” – a programmed means of handling all the computerized data needed to properly supervise an institution throughout its organizational life.

Compliance with Laws and Regulations

We evaluated whether IT examination procedures to assess selected controls related to the protection of customer and consumer information at TSPs in the MDPS program were adequate to address relevant provisions of GLBA, the FACT Act, and the Security Guidelines. We used certain other federal regulations, such as the Federal Trade Commission’s Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records (16 C.F.R. Parts 314 and 682, respectively), as supplemental criteria. Our assessment was limited to the three security control areas covered by our audit (i.e., the oversight of TSP third-party service providers, incident response programs, and the disposal of information). Accordingly, our assessment did not generally include the FDIC’s regulations at Part 332, Privacy of Consumer Financial Information, which implements GLBA’s provisions regarding privacy notices and related disclosures with respect to customers and consumers, except where definitions in Part 332 were referred to or incorporated in the Security Guidelines. See Appendix II for additional information on relevant laws and regulations, including their legal effect on the FDIC.

Government Performance and Results Act

We reviewed the FDIC’s Strategic Plan for 2005-2010 and the FDIC 2007 Annual Performance Plan. Neither of these plans contained a strategic goal or objective specifically related to examinations of TSPs in the MDPS program. We also reviewed the FDIC’s 2007 Corporate Performance Objectives (CPO) and determined that they did not contain a specific CPO related to our audit objectives. However, the first quarter CPO performance summary stated that a separate effort was underway to assess the potential risk associated with outsourcing to third-party TSPs, with a focus on TSPs based in foreign countries. According to the performance summary, the FDIC has developed a tool to collect data on a quarterly basis from FDIC-supervised institutions on their use of such TSPs.

Fraud and Illegal Acts

The nature of our audit objective did not require that we develop specific audit procedures to detect fraud and illegal acts. However, throughout the audit, we were sensitive to the potential for fraud and illegal acts, and no indications of fraud or illegal acts came to our attention.

Prior Coverage

This audit is the third in a series of audits designed to assess the FDIC’s examination coverage of TSPs and related efforts to protect customer and consumer information. The first audit, FDIC’s Oversight of Technology Service Providers (OIG Audit Report No. 06-015, dated July 2006), focused on the FDIC’s efforts to identify, monitor, and prioritize examination coverage of TSPs. The second audit, Information Technology Examination Coverage of Financial Institutions’ Oversight of Technology Service Providers (OIG Audit Report No. 07-005, dated February 2007), focused on examination procedures related to the security of customer information managed by TSPs. We considered the results of these prior audits when planning and conducting our current audit work.

APPENDIX II

LAWS, REGULATIONS, POLICY, AND GUIDANCE

Laws and their provisions

Gramm-Leach-Bliley Act (GLBA): Title V of the Act contains provisions to protect nonpublic personal information of financial institution customers.
It is congressional policy that each financial institution has an obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. Each agency (including the FDIC) or authority should establish appropriate standards for financial institutions relating to administrative, technical, and physical safeguards: (1) to ensure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

Bank Service Company Act: A bank service company shall be subject to examination and regulation by the appropriate federal banking agency of its principal investor to the same extent as its principal investor. The Act requires insured financial institutions to notify their appropriate federal banking agency, in writing, of contracts or relationships with third parties that provide certain services to the institution. The depository institution shall notify such agency of the existence of the service relationship within 30 days after making the service contract or the performance of the service, whichever occurs first.

Fair Credit Reporting Act (FCRA): This statute regulates the collection, dissemination, and use of consumer credit information.

Fair and Accurate Credit Transactions Act of 2003 (FACT Act): This statute, which amends FCRA, requires federal regulators, including the FDIC, to issue regulations in a number of areas, including regulations on the disposal of consumer information (section 216).

Federal Deposit Insurance Act, section 39: This provision requires the federal banking agencies to prescribe standards for financial institutions in a number of areas, as well as operational and managerial standards as deemed appropriate.

Rules & Regulations

12 C.F.R. Part 334, Subpart I - Duties of Users of Consumer Reports Regarding Identity Theft: These FDIC regulations require institutions to properly dispose of any consumer information in accordance with the Security Guidelines.

12 C.F.R. Part 364, Standards for Safety and Soundness, Appendix B, Interagency Guidelines Establishing Information Security Standards,[19] and Appendix B, Supplement A, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice: These are the FDIC’s version of interagency guidelines which, among other things, address the proper disposal of consumer information requirements pursuant to section 628 of the FCRA and apply to all insured state nonmember banks, insured state licensed branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). Supplement A provides guidance for institutions regarding response plans, including customer notification procedures.

[19] These Standards were revised effective July 1, 2005 and were re-titled, Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

16 C.F.R. Part 314, Federal Trade Commission (FTC) – Standards for Safeguarding Customer Information (Safeguards Rule): The Safeguards Rule sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The rule applies to the handling of customer information by all financial institutions over which the FTC has jurisdiction. Financial institutions subject to this rule must also require their service providers, by contract, to implement and maintain the safeguards discussed in this rule.

16 C.F.R. Part 682, FTC – Disposal of Consumer Report Information and Records (Disposal Rule): The Disposal Rule requires any person who maintains or otherwise possesses consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal. The rule provides several examples of reasonable measures, which include incorporating the proper disposal of consumer information into the information security program required by the FTC Safeguards Rule.

Guidance

FIL 81-2000, Risk Management of Technology Outsourcing: The FIL provides joint guidance from the FFIEC regulators on managing the risk exposure an institution faces when it uses outside firms for technology. Specifically, the regulators issued guidance on key management issues involved in outsourcing technology, including risk assessment, service provider selection, contract terms, and oversight of outsourcing arrangements.

FIL-68-2001, 501(b) Examination Guidance: Examination procedures described in the guidance are derived from the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and are intended to assist examiners in assessing the level of compliance with the guidelines.

FIL 7-2005, Guidelines Requiring the Proper Disposal of Consumer Information: The bank and thrift regulatory agencies issued joint final guidelines to implement section 216 of the FACT Act. Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. This final rule amended the Interagency Guidelines Establishing Standards for Safeguarding Customer Information to require proper disposal of consumer information. This rule also requires financial institutions to modify any affected contracts with service providers no later than July 1, 2006.

FIL-27-2005, Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice: The FFIEC agencies jointly issued guidance for financial institutions to develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider. The guidance is an interpretation of section 501(b) of GLBA and the Interagency Guidelines Establishing Information Security Standards.

Regional Directors Memoranda

RD-90-116, Problem Electronic Data Processing Centers: Contains instructions for the supervision of a problem electronic data processing center. A problem center is any servicer that has been assigned a composite “4” or “5” rating under the Uniform Interagency Rating System for Data Processing Operations.

RD-93-086, EDP Examinations of Non-Financial Institution Data Centers: Provides guidance on scheduling an interagency examination of data centers operated by independent servicers, bank service corporations, or financial institution holding companies. Data centers included in the MDPS program are administered by the Electronic Data Processing (EDP) Subcommittee of the FFIEC’s Task Force on Supervision.

RD-95-013, Enhanced Supervision Program for MDPSs: Details the Enhanced Supervisory Program for MDPSs, which has been approved by the FFIEC Task Force on Supervision.

RD-00-026, Examination of National Data Processing Companies: Supplements the EDP Interagency Examination, Scheduling, and Distribution Policy (Supervisory Policies, SP-1 and SP-11) and provides for coordination, standardization, and unification needed for the examination of MDPSs.

RD-00-032, Scheduling of Information Systems Examinations: Establishes a centralized listing of data center examinations that may require participation by other regions.

RD-01-032, Examination Procedures to Evaluate Customer Information Safeguards: Provides examination procedures to determine compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Appendix B to Part 364 of the FDIC Rules and Regulations) that were mandated by Section 501(b) of the GLBA to address standards for financial institutions in the development and implementation of administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer records and information.

RD-01-039, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules: Provides guidelines on preparing examination workpapers. Examination findings should be documented through a combination of brief summaries, bank source documents, report comments, and other papers that address management practices and conditions. Documentation should provide written support for examination and verification procedures performed and conclusions reached.

RD-04-002, Establishing Standards for Safeguarding Customer Information: Provides guidance on reporting the results of evaluating a financial institution’s compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

RD-04-055, Fair and Accurate Credit Transactions Act of 2003 - Effective Dates: Explains the effective dates of the provisions in the Fair and Accurate Credit Transactions Act of 2003 and provides guidance regarding the impact of these dates on compliance and IT examination programs.

RD-05-012, Examination Procedures to Evaluate Response Programs for Unauthorized Access to Customer Information and Customer Notice: Details examination procedures to determine compliance with the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

RD-04-059, Information Technology Examination Quality Control: Contains an update to the IT examination documentation requirements.

RD-06-013, IT – Risk-Based Examination Priority Ranking Program: Announces the Risk-Based Examination Priority Ranking Program procedures for all TSPs, including providers in the MDPS program.

APPENDIX III

GLOSSARY OF TERMS

Consumer: An individual or the legal representative of such an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes.

Customer: With respect to a financial institution, any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.

Consumer Information: Any record about an individual, whether in paper, electronic, or other form.

Consumer Information Systems: Any methods used to access, collect, store, transmit, protect, or dispose of customer information.

Customer Information: Any information maintained by or for a financial institution that is derived from the relationship between the financial institution and a customer of the financial institution and is identified with the customer.

Data Breach: Generally refers to an organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers or financial information such as credit card numbers. Data breaches can take many forms and do not necessarily lead to identity theft.

Disposal: The act of discarding media with no other sanitization considerations. This is most often the recycling of paper containing non-confidential information, but may also include other media. Disposal also includes the discarding or abandonment of consumer information or the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.

Encryption: A process that scrambles the contents of a message or file to make it unintelligible to anyone who is not authorized to read it.

Identity Theft: Identity theft is broad and encompasses many types of criminal activities, including fraud on existing accounts—such as unauthorized use of a stolen credit card number—or fraudulent creation of new accounts—such as using stolen data to open a credit card account in someone else’s name. Depending on the type of information compromised and how it is misused, identity theft victims can face a range of potential harm, from the inconvenience of having a credit card reissued to substantial financial losses and damaged credit ratings.

Incident: An incident can be a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents include denial of service, malicious code, unauthorized access, and inappropriate usage.

Incident Notification: When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, the institution should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.
Customer notification should be delivered in any manner designed to ensure\n                        that a customer can reasonably be expected to receive it, such as by telephone,\n                        regular mail, or electronic mail (for those customers for whom it has a valid e-mail\n                        address) and who have agreed to receive communications electronically.\n\nMedia                   Media take different forms, such as printouts of data, screenshot captures, or cached\n                        memory of users\xe2\x80\x99 activities.\n\nMulti-regional Data     A TSP qualifies for the MDPS program when the TSP processes critical\nProcessing Servicer     applications, such as general ledger or loan and deposit systems, for a large number\n(MDPS)                  of financial institutions with multiple federal regulators or geographically dispersed\n                        data centers.\n\nNonpublic Personal      Nonpublic personal information means: (1) personally identifiable financial\nInformation             information; and (2) any list, description, or other grouping of consumers (and\n                        publicly available information pertaining to them) that is derived using any\n                        personally identifiable financial information that is not publicly available.\n\nReport of Examination The ROE is the joint property of the FFIEC member agencies and contains two\n(ROE)                 sections. The open section contains an assessment of major risks to the financial\n                      institutions serviced by the MDPS, recommendations for reducing or managing\n                      those risks, and management\xe2\x80\x99s responses to the findings and recommendations.\n                      The MDPS\xe2\x80\x99s directors sign and date the Directors\xe2\x80\x99 Signature Page as certification\n                      that they have reviewed the ROE. The open section is furnished to the MDPS. 
The\n                      Uniform Rating System for Information Technology -- or IT examination rating --\n                      included in the administrative section is available only to supervisory agencies.\n\nResponse Program        Response programs specify actions to be taken when a financial institution suspects\n                        or detects that unauthorized individuals have gained access to customer information\n                        systems. The program should contain procedures for the following:\n\n                         a. Assessing the nature and scope of an incident and identifying which customer\n                        information systems and types of customer information have been accessed or\n                        misused.\n                         b. Notifying its primary federal regulator as soon as possible when the institution\n                        becomes aware of an incident involving unauthorized access to, or use of, sensitive\n                        customer information.\n                         c. Notifying appropriate law enforcement authorities and filing a timely\n                        Suspicious Activity Report in situations involving federal criminal violations\n                        requiring immediate attention.\n\n\n\n\n                                                    19\n\x0c                                                                                     APPENDIX III\n\n\n                         d. Taking appropriate steps to contain and control the incident to prevent further\n                        unauthorized access to, or use of, customer information.\n                         e. Notifying customers when warranted.\n\nScoping Memorandum A document that provides details on the organization, scope of the upcoming\n                   examination, data centers to be included in the examination, examination schedule,\n                   and resource requirements. 
The document, which is submitted to the FFIEC IT\n                   Subcommittee for approval, identifies the risks highlighted in the last examinations\n                   and areas for further review and outlines the examination\xe2\x80\x99s objectives, assignments,\n                   workday budget, and other relevant information.\n\nSensitive Customer      Sensitive customer information is a customer's name, address, or telephone number,\nInformation             in conjunction with the customer's Social Security number, driver's license number,\n                        account number, credit or debit card number, or a personal identification number or\n                        password that would permit access to the customer's account. Sensitive customer\n                        information also includes any combination of components of customer information,\n                        such as user name or password or password and account number, that would allow\n                        someone to log onto or access the customer's account.\n\nService Provider        Any person or entity that maintains, processes, or otherwise is permitted access to\n                        customer information or consumer information through its provision of services\n                        directly to a financial institution.\n\nTechnology Service      TSPs include independent data centers, including MDPSs, joint venture/limited\nProvider (TSP)          liability corporations, and bank service corporations.\n\n\n\n\n                                                    20\n\x0c                       APPENDIX IV\n\n\nCORPORATION COMMENTS\n\n\n\n\n         21\n\x0c     APPENDIX IV\n\n\n\n\n22\n\x0c                                                                                        APPENDIX V\n\n\n                MANAGEMENT RESPONSE TO RECOMMENDATIONS\n\nThis table presents the management response on the recommendations in our report and\nthe status of the recommendations as of 
the date of report issuance.\n\n\n    Rec. No.      Corrective Action: Taken          Expected       Monetary      Resolved:a     Open or\n                         or Planned                Completion      Benefits      Yes or No      Closedb\n                                                      Date\n\n        1         DSC will emphasize to the        March 28,           $0        Yes           Open\n                  FDIC regions the                 2008\n                  importance of documenting\n                  adequate conclusions for\n                  key security control areas.\n\n        2         DSC has begun quality            October             $0        Yes           Open\n                  assurance reviews of             2007\n                  documentation prepared by\n                  FDIC examiners for\n                  examinations of TSPs in the\n                  MDPS program where the\n                  FDIC is the Agency-in-\n                  Charge.\n\n\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is\n                   consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but planned alternative action is\n                   acceptable to the OIG.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)\n                   amount. Monetary benefits are considered resolved as long as management provides an\n                   amount.\nb\n  Once the OIG determines that the agreed-upon corrective actions have been completed and are effective,\nthe recommendation can be closed.\n\n\n\n\n                                                    23\n\x0c"